X-Git-Url: https://git.openssl.org/gitweb/?a=blobdiff_plain;f=test%2Frecipes%2F70-test_tls13downgrade.t;h=bdb360a7dcd5c39f52659f1b737f45e4414482ad;hb=11e1807b212e818458c2ff9ba6dfc520aee94354;hp=6719d18a69446da59c56e23c810c7de1ed8ad5ec;hpb=b9647e34ff67f0f7af19a7775fc3f8846a30ac2e;p=openssl.git
diff --git a/test/recipes/70-test_tls13downgrade.t b/test/recipes/70-test_tls13downgrade.t
index 6719d18a69..bdb360a7dc 100644
--- a/test/recipes/70-test_tls13downgrade.t
+++ b/test/recipes/70-test_tls13downgrade.t
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the OpenSSL license (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
@@ -15,7 +15,7 @@ my $test_name = "test_tls13downgrade";
 setup($test_name);
 
 plan skip_all => "TLSProxy isn't usable on $^O"
-    if $^O =~ /^(VMS|MSWin32)$/;
+    if $^O =~ /^(VMS)$/;
 
 plan skip_all => "$test_name needs the dynamic engine feature enabled"
     if disabled("engine") || disabled("dynamic-engine");
@@ -26,10 +26,6 @@ plan skip_all => "$test_name needs the sock feature enabled"
 plan skip_all => "$test_name needs TLS1.3 and TLS1.2 enabled"
     if disabled("tls1_3") || disabled("tls1_2");
 
-# TODO(TLS1.3): Enable this when TLSv1.3 comes out of draft
-plan skip_all => "$test_name not run in pre TLSv1.3 RFC implementation"
-    if disabled("tls13downgrade");
-
 $ENV{OPENSSL_ia32cap} = '~0x200000200000000';
 
 my $proxy = TLSProxy::Proxy->new(
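Review bot: With MSWin32 dropped from the skip condition, the alternation in `/^(VMS)$/` has a single branch, so the regex and its capturing group no longer do anything a plain comparison would not. A string equality reads more directly and avoids the unneeded capture: `if $^O eq 'VMS';`. The other two hunks on this line (copyright year, removal of the tls13downgrade gate) are routine.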
@@ -41,14 +37,15 @@ my $proxy = TLSProxy::Proxy->new(
 
 use constant {
     DOWNGRADE_TO_TLS_1_2 => 0,
-    DOWNGRADE_TO_TLS_1_1 => 1
+    DOWNGRADE_TO_TLS_1_1 => 1,
+    FALLBACK_FROM_TLS_1_3 => 2,
 };
 
 #Test 1: Downgrade from TLSv1.3 to TLSv1.2
 $proxy->filter(\&downgrade_filter);
 my $testtype = DOWNGRADE_TO_TLS_1_2;
 $proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
-plan tests => 3;
+plan tests => 6;
 ok(TLSProxy::Message->fail(), "Downgrade TLSv1.3 to TLSv1.2");
 
 #Test 2: Downgrade from TLSv1.3 to TLSv1.1
@@ -64,6 +61,35 @@ $proxy->serverflags("-no_tls1_3");
 $proxy->start();
 ok(TLSProxy::Message->fail(), "Downgrade TLSv1.2 to TLSv1.1");
 
+#Test 4: Client falls back from TLSv1.3 (server does not support the fallback
+# SCSV)
+$proxy->clear();
+$testtype = FALLBACK_FROM_TLS_1_3;
+$proxy->clientflags("-fallback_scsv -no_tls1_3");
+$proxy->start();
+my $alert = TLSProxy::Message->alert();
+ok(TLSProxy::Message->fail()
+   && !$alert->server()
+   && $alert->description() == TLSProxy::Message::AL_DESC_ILLEGAL_PARAMETER,
+   "Fallback from TLSv1.3");
+
+SKIP: {
+    skip "TLSv1.1 disabled", 2 if disabled("tls1_1");
+    #Test 5: A client side protocol "hole" should not be detected as a downgrade
+    $proxy->clear();
+    $proxy->filter(undef);
+    $proxy->clientflags("-no_tls1_2");
+    $proxy->start();
+    ok(TLSProxy::Message->success(), "TLSv1.2 client-side protocol hole");
+
+    #Test 6: A server side protocol "hole" should not be detected as a downgrade
+    $proxy->clear();
+    $proxy->filter(undef);
+    $proxy->serverflags("-no_tls1_2");
+    $proxy->start();
+    ok(TLSProxy::Message->success(), "TLSv1.2 server-side protocol hole");
+}
+
 sub downgrade_filter
 {
     my $proxy = shift;
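Review bot: In Test 4, `$alert->server()` and `$alert->description()` are called without checking that `TLSProxy::Message->alert()` actually returned an object; if the connection fails for a reason that produces no alert, `fail()` is still true and the method call on undef aborts the whole recipe with a Perl error instead of a failed `ok`. A guard keeps the failure diagnosable: `ok(TLSProxy::Message->fail() && defined $alert && !$alert->server() && $alert->description() == TLSProxy::Message::AL_DESC_ILLEGAL_PARAMETER, "Fallback from TLSv1.3");`. Tests 5 and 6 assert only that the handshake completed, which does not show that the version "hole" was actually crossed; if TLSProxy exposes the negotiated version, asserting it as well would stop the test from passing by negotiating some other version. Note also that Test 4 leaves `$testtype` at FALLBACK_FROM_TLS_1_3 and `downgrade_filter` installed until the SKIP block clears the filter, so any test added between them would inherit that state.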
@@ -76,18 +102,25 @@ sub downgrade_filter
     my $message = ${$proxy->message_list}[0];
     my $ext;
 
-    if ($testtype == DOWNGRADE_TO_TLS_1_2) {
-        $ext = pack "C3",
-            0x02, # Length
-            0x03, 0x03; #TLSv1.2
+    if ($testtype == FALLBACK_FROM_TLS_1_3) {
+        #The default ciphersuite we use for TLSv1.2 without any SCSV
+        my @ciphersuites = (TLSProxy::Message::CIPHER_RSA_WITH_AES_128_CBC_SHA);
+        $message->ciphersuite_len(2 * scalar @ciphersuites);
+        $message->ciphersuites(\@ciphersuites);
     } else {
-        $ext = pack "C3",
-            0x02, # Length
-            0x03, 0x02; #TLSv1.1
+        if ($testtype == DOWNGRADE_TO_TLS_1_2) {
+            $ext = pack "C3",
+                0x02, # Length
+                0x03, 0x03; #TLSv1.2
+        } else {
+            $ext = pack "C3",
+                0x02, # Length
+                0x03, 0x02; #TLSv1.1
+        }
+
+        $message->set_extension(TLSProxy::Message::EXT_SUPPORTED_VERSIONS, $ext);
     }
 
-    $message->set_extension(TLSProxy::Message::EXT_SUPPORTED_VERSIONS, $ext);
-
     $message->repack();
 }
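Review bot: The comment on the FALLBACK_FROM_TLS_1_3 branch names the ciphersuite but not why the client's whole list is replaced, which is the point of the test: the rewrite deliberately discards every suite the client offered, including the TLS_FALLBACK_SCSV that `-fallback_scsv` adds, so the server never sees the signalling value and must rely on the ServerHello downgrade sentinel alone. Suggest `# Replace the client's list so the TLS_FALLBACK_SCSV added by -fallback_scsv never reaches the server; the downgrade must be caught by the sentinel alone` above the `my @ciphersuites` line. Nesting a second if/else inside the else block is harder to follow than a flat chain; `if (... FALLBACK_FROM_TLS_1_3) { ... } elsif (... DOWNGRADE_TO_TLS_1_2) { ... } else { ... }` with the `set_extension` call guarded by `if ($testtype != FALLBACK_FROM_TLS_1_3)` expresses the same three cases without the extra indentation level, and `$ext` then stays undef only on the fallback path where it is unused. The body of `downgrade_filter` starts before this hunk.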